差異處
這裏顯示兩個版本的差異處。
| Both sides previous revision 前次修改 下次修改 | 前次修改 | ||
|
openssl [2016/08/28 13:09] jz |
openssl [2018/12/29 21:34] (目前版本) jz |
||
|---|---|---|---|
| 行 1: | 行 1: | ||
| - | ====== Gen key ====== | + | ====== OpenSSL ====== |
| + | ===== Generate a Key ===== | ||
| + | <code> | ||
| openssl genrsa -out cakey.pem 4096 | openssl genrsa -out cakey.pem 4096 | ||
| + | </code> | ||
| - | ====== Gen CA ====== | + | ===== Generate CA ===== |
| + | <code> | ||
| openssl req -x509 -new -nodes -key cakey.pem -days 3650 -out cacert.pem | openssl req -x509 -new -nodes -key cakey.pem -days 3650 -out cacert.pem | ||
| + | </code> | ||
| - | -------------------------------------------------------------------------------------------------------- | + | ===== Generate Cert key ===== |
| - | ====== Gen cert key ====== | + | <code> |
| openssl genrsa -out key.pem 4096 | openssl genrsa -out key.pem 4096 | ||
| + | </code> | ||
| - | ====== Gen csr ====== | + | ===== Generate CSR ===== |
| + | <code> | ||
| openssl req -new -key key.pem -out csr.pem -sha256 | openssl req -new -key key.pem -out csr.pem -sha256 | ||
| + | </code> | ||
| - | ====== Gen DH ====== | + | ===== Gen DH ===== |
| + | <code> | ||
| openssl dhparam -out dh.pem 2048 | openssl dhparam -out dh.pem 2048 | ||
| + | </code> | ||
| - | ====== Self-signed ====== | + | ===== Self-signed ===== |
| + | <code> | ||
| openssl x509 -req -in csr.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out cert.pem -days 365 | openssl x509 -req -in csr.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out cert.pem -days 365 | ||
| + | </code> | ||
| - | Convert to pfx format | + | ==== Convert to pfx format ==== |
| + | <code> | ||
| openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt | openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt | ||
| + | </code> | ||
| - | Verify cert | + | ===== Single Cert ===== |
| - | openssl x509 -noout -text -in cert.pem | + | <code> |
| - | openssl req -noout -text -in | + | |
| - | + | ||
| - | ====== Single cert ====== | + | |
| openssl genrsa -out bluenet-ride.com.key 4096 | openssl genrsa -out bluenet-ride.com.key 4096 | ||
| openssl req -new -key registry.bluenet-ride.com.key -out registry.bluenet-ride.com.key.csr | openssl req -new -key registry.bluenet-ride.com.key -out registry.bluenet-ride.com.key.csr | ||
| openssl x509 -req -days 365 -in bluenet-ride.com.csr -signkey bluenet-ride.com.key -out bluenet-ride.com.crt | openssl x509 -req -days 365 -in bluenet-ride.com.csr -signkey bluenet-ride.com.key -out bluenet-ride.com.crt | ||
| + | </code> | ||
| - | ------ | + | ===== Convert to PKCS12 format ===== |
| + | <code> | ||
| openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx | openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx | ||
| + | </code> | ||
| + | |||
| + | ===== View cert ===== | ||
| + | <code> | ||
| + | openssl s_client -showcerts -connect encrypted.google.com:443 < /dev/null 2> /dev/null | openssl x509 -noout -enddate | ||
| + | openssl x509 -noout -text -in cert.pem | ||
| + | openssl req -noout -text -in req.pem | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ===== Trust CA system-wide ===== | ||
| + | <code> | ||
| + | trust anchor ca.crt | ||
| + | # trust anchor --remove ca.crt | ||
| + | </code> | ||
| + | |||
| + | **Ref:** | ||
| + | |||
| + | * https://unix.stackexchange.com/questions/104623/how-to-get-servers-ssl-certificate-in-a-human-readable-form | ||
| + | * https://bbs.archlinux.org/viewtopic.php?id=235724 | ||
